On Tue, Mar 13, 2007 at 11:13:00AM +0200, Jonathan McKeown wrote:
> On Tuesday 13 March 2007 10:26, Gerhard Schmidt wrote:
>> > > It's a well-known problem rather than a bug, and it arises when looking
> > > up group information for a user. The system needs a list of all the
> > > groups the user is a member of. Since it's a list, not a single answer,
> > > you can't short-circuit the process with ``success'' after finding a
> > > single result: initgroups(3) must work through all possible sources of
> > > group information to build the list.
> >
> > I think its still a bug. You are right that all groups should be found so
> > the default for groups should be success=continue to have this done. But
> > when I explicily specify that on success the process should abort, it
> > should be done exacly this way.
>> You've now had responses from me and Joerg Pulz, and given us essentially the
> same reply. I'm not sure success means what you think it means: group
> information is a complete list, not ``first item found'' like a user account.
>> You have told the system to check for group information in files and ldap. You
> have, therefore, not succeeded in listing all groups until you have both
> searched the files *and* received a response from nss_ldap, either group
> information or NSS_STATUS_NOTFOUND.
>> It looks as though you can instruct nss_ldap to unconditionally return
> NSS_STATUS_NOTFOUND for a user, by adding
>> nss_initgroups_ignoreusers user
>> in nss_ldap.conf. I'd be interested to hear whether it works, having not
> tested it myself, but at the moment you're banging your head against the wall
> and shouting about how much it hurts. It will hurt less if you stop.
It's not. added nss_initgroups_ignoreusers ldap but it still blockes for
2 Min. I have found a solution that work for me. The problem is not that
nsswitch asks nss_ldap but that nss_ldap take so long to realise the
ldap isn't running. I have changed the bind_policy setting of nss_ldap from
hard to soft and nss_ldap fails without delay. So it's working for me
for now.
But still there is a problem with that. Right now there is no way we could
prevent any source from adding users to any group (e.g wheel). I think thats
a security problem in envoriments where you don't have control over all
sources used for authentication und usermanagement. If there was a way
you could tell the nss to stop wenn a group definition is found in a module
we had a way to stop this. That shouldn't be the default way but it schould
be possible.
Bye
Estartu
--
----------------------------------------------------------------------------
Gerhard Schmidt | Nick : estartu IRC : Estartu |
Fischbachweg 3 | | PGP Public Key
86856 Hiltenfingen | EMail: estartu at augusta.de | on request
Germany | |
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 305 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20070313/cea089ac/attachment.pgp